2151 matches found
Internet Bug Bounty: Squid as reverse proxy RCE and data leak
Summary: This was a very difficult experience as Squid maintainers took a long time to answer. I tried getting help from HackerOne support, Dropbox support and the Internet Bug Bounty never e-mailed me back to no avail. What could have taken a few days took months. The vulnerability concerns a...
Content Delivery Networks handle HTTP headers in different and unexpected ways
Overview: A Content Delivery Network (CDN) is a distributed network of proxy servers that deliver web content collected from a back-end web server using a temporary local storage called a cache. HTTP cache poisoning is a type of attack that allows a remote attacker to inject arbitrary content using...
CVE-2018-12122
It was found that the Node.js HTTP server was vulnerable to a Slowloris-type attack. An attacker could make long-lived connections by sending bytes very slowly to the server, saturating its resources and possibly resulting in a denial of service. Mitigation: The use of a Load Balancer or a Reverse Prox...
HTTP Request Smuggling: Invalid whitespace characters in headers in Waitress
Impact: If a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Content-Length: 10 Transfer-Encoding: \x0bchunked For clarity: 0x0b == vertical...
HTTP Request Smuggling: Content-Length Sent Twice in Waitress
Impact: Waitress would header fold a double Content-Length header and, due to being unable to cast the now comma-separated value to an integer, would set the Content-Length to 0 internally. So a request with: Content-Length: 10 Content-Length: 10 would get transformed to: Content-Length: 10, 10 Whic...
HTTP Request Smuggling: LF vs CRLF handling in Waitress
Impact: Waitress implemented a "MAY" part of the RFC7230 (https://tools.ietf.org/html/rfc7230#section-3.5) which states: Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR...
PT-2019-6231 · Waitress +3
Name of the Vulnerable Software and Affected Versions: Waitress versions 1.3.1 and earlier Description: The issue arises from Waitress implementing a "MAY" part of the RFC7230, which allows recognizing a single LF as a line terminator and ignoring any preceding CR. This can lead to a potential fo...
[SECURITY] Fedora 31 Update: haproxy-2.0.10-1.fc31
HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments. Indeed, it can: - route HTTP requests depending on statically assigned cookies - spread load among several servers while assuring server persistence through the use of HTTP cookies - switch to...
[SECURITY] Fedora 30 Update: haproxy-1.8.23-1.fc30
HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments. Indeed, it can: - route HTTP requests depending on statically assigned cookies - spread load among several servers while assuring server persistence through the use of HTTP cookies - switch to...
PT-2019-14826
Name of the Vulnerable Software and Affected Versions: Puma versions prior to 3.12.2; Puma versions prior to 4.3.1 Description: A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened th...
Debian DSA-4577-1 : haproxy - security update
Tim Düsterhus discovered that haproxy, a TCP/HTTP reverse proxy, did not properly sanitize HTTP headers when converting from HTTP/2 to HTTP/1. This would allow a remote user to perform CRLF injections. (C) Tenable Network Security, Inc. The descriptive text and package checks in this plugin were...
CVE-2019-4036
IBM Security Access Manager Appliance could allow unauthenticated attacker to cause a denial of service in the reverse proxy component. IBM X-Force ID: 156159...
CVE-2019-4036
CVE-2019-4036 affects IBM Security Access Manager Appliance. The available documents show unauthenticated remote denial-of-service against the reverse proxy, commonly associated with Slow HTTP/Slowloris abuse. Affected product: IBM Security Access Manager Appliance (ISAM Appliance); impact: denia...
New Cache Poisoning Attack Lets Attackers Target CDN Protected Sites
A team of German cybersecurity researchers has discovered a new cache poisoning attack against web caching systems that could be used by an attacker to force a targeted website into delivering error pages to most of its visitors instead of legitimate content or resources. The issue could affect...
Phishing Tool Analysis: Modlishka
Additional research and support provided by Danny Wasserman. Overview One of the goals of phishing sites is to lure individuals into providing sensitive data, such as personally identifiable information, banking and credit card details, and passwords, through the use of email, SMS, social media,...
Razer: Request Smuggling vulnerability due to a vulnerable Skipper reverse proxy running in the environment.
The tester discovered that a server was using Skipper as a reverse proxy that was not fully patched, allowing a request smuggling vulnerability. We thank the tester for his report and excellent PoC and his patience with the slow response of the engineering team...
CVE-2019-3878
A vulnerability was found in mod_auth_mellon. If Apache is configured as a reverse proxy and mod_auth_mellon is configured to only let through authenticated users with the require valid-user directive, adding special HTTP headers that are normally used to start the special SAML ECP non-browser based...
HTTP Request Smuggling
github.com/golang/go is vulnerable to HTTP request smuggling. The vulnerability exists as invalid HTTP/1.1 headers were accepted and normalized with a space before the colon, allowing a reverse proxy to interpret the headers differently...
go -- invalid headers are normalized, allowing request smuggling
The Go project reports: net/http through net/textproto used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind a reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse pro...